For years, hackers and cyber criminals have eyed ATM machines – especially standalone machines not located inside a bank – as potential targets for their financial scams. The latest security hack is known as jackpotting, and it involves infecting an ATM machine with malware so that it will dispense hundreds of thousands of dollars at one time, just as if you had won a casino jackpot.
A short history of jackpotting
In January 2018, the first massive jackpotting attacks were carried out on U.S. ATM machines, raising the very real concern among U.S. law enforcement officials that international groups of cyber thieves might be planning a coordinated attack against the nation’s nearly 400,000 ATM machines. This follows a string of jackpotting attacks in Mexico and Central America, and before that, in Europe and Asia.
In one of the most highly publicized jackpotting attacks, cyber criminals were able to make off with nearly $2 million in cash in Taiwan. Worldwide, security experts now believe that cyber criminals have made off with more than $10 million in stolen cash. A typical jackpotting attack relies on a combination of software and hardware, and requires physical access to a machine for an extended period of time in order to install malware.
Until recently, it was assumed that these jackpotting attacks could only take place in nations where ATM operators or bank officials could be bribed to turn a blind eye while cyber thieves were installing the malware and walking away with bags of cash. In some cases, jackpotting thieves have dressed up as security technicians in order to take over a hacked ATM machine, right in front of unsuspecting customers.
How jackpotting works
The essence of a jackpotting attack is simple – it requires a physical override of the instructions inside the ATM that tell it how much cash it can dispense at one time. In most cases, ATM machines can only dispense a few hundred dollars at one time – a request for additional funds usually requires a visit inside the bank branch for some sort of security clearance.
But in the case of jackpotting, the amount of cash that can be dispensed at one time is only limited by the amount of physical cash inside the machine itself. Security officials have noted that as many as 40 bills can be dispensed every 23 seconds. Thus, assuming those bills are all nice, crisp $100 bills, that means a basic jackpotting attack could result in nearly $10,000 within minutes.
However, targeting ATMs for a successful jackpotting attack is harder than it sounds. The first step is getting access to the computer hard drive inside the ATM, and this usually requires some sort of tiny camera that can be inserted into the ATM to figure out where to attach a cable. Then, the computer inside the ATM is connected to a computer outside the ATM. From there, sophisticated malware is added to the ATM, with instructions that force the machine to allow more cash to be dispensed than typically authorized. For that reason, these attacks are sometimes known as “logical attacks” – they are literally overriding the logic of the machines.
The next step is to send instructions to the ATM to go off-line – the screen will flash an “out of order” message so that other users won’t use the machine. Then cyber thieves show up at the machine with a bag big enough to walk away with the cash; simultaneously, a signal is sent from a remote computer to trigger the ATM to spit out cash.